Privacy Policy
This policy explains what Skylos collects, why it is used, which providers support the service, and how to contact us about data requests.
Last updated: May 25, 2026
Local-first CLI
Local CLI scans do not require a login and do not upload code to Skylos Cloud unless you choose a cloud workflow.
Cloud uploads
Cloud features may store scan metadata, findings, snippets, and team workflow records needed for history and review.
Optional AI
AI triage, remediation, and compliance reports send selected context only when a user triggers those features.
Information we collect
- Account and authentication data from GitHub and Supabase, including identifiers needed to sign you in and maintain a workspace.
- Workspace, organization, project, member, role, billing, and credit metadata needed to operate Skylos Cloud.
- Scan uploads and public scan results, including findings, severity, rule IDs, file paths, line numbers, optional snippets, scan metadata, and optional provenance, defense, debt, or compliance evidence.
- Optional integration settings for GitHub, Slack, Discord, and project API keys. Project API keys are stored as hashes.
- Billing checkout, payment, invoice, refund, and entitlement records processed through Lemon Squeezy.
- Marketing analytics data such as page path, referrer origin, UTM fields, page title, coarse user agent, and first-touch attribution stored in session storage.
- Support and security messages you send to Skylos.
How we use it
- Provide authentication, workspace access, scan history, comparisons, triage, exports, PR workflows, billing, and support.
- Enforce permissions, upload limits, abuse controls, rate limits, security monitoring, audit logging, and fraud prevention.
- Operate optional AI-assisted triage, remediation, and compliance report features only when a user triggers them.
- Measure aggregate marketing performance and improve public pages. Source code from local-only CLI scans is never stored for this purpose.
- Comply with legal, tax, accounting, security, and contractual obligations.
Providers and sharing
Skylos uses service providers to operate the product. We do not sell personal information, and we do not use third-party ad networks in the product.
- Vercel for hosting, edge delivery, deployment, and web analytics.
- Supabase for authentication, Postgres, row-level security, object storage, and server-side data access.
- GitHub for OAuth, GitHub App workflows, repository metadata, pull request workflows, and OIDC identity.
- Lemon Squeezy for checkout, payments, invoices, refunds, taxes, and billing records.
- OpenAI for optional user-triggered AI features such as triage, fixes, and compliance reports.
- Slack and Discord only when a workspace configures notification integrations.
Retention and choices
Scan history retention depends on the active plan: Free workspaces have shorter retention, Team workspaces currently retain scan history for 90 days, and Enterprise workspaces currently retain scan history for 365 days.
You can use the local CLI without an account, disconnect optional integrations, clear browser storage, or ask us to access, correct, export, or delete account data where required.
Billing, tax, security, abuse-prevention, and audit records may be retained as needed for legitimate business, legal, and security obligations.
Contact
For privacy requests, email founder@skylos.dev. For security reports, use the security policy.